Navigate

AC-3 (8)

AC-3 (8): Revocation Of Access Authorizations

The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].

Supplemental

Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. Organizations can provide alternative approaches on how to make revocations immediate if information systems cannot provide such capability and immediate revocation is necessary.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-3 (8).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of AC-3 (8).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-3 (8).

CCI	Definition
CCI-002177	The organization defines the rules which will govern the timing of revocation of access authorizations.
CCI-002178	The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects based on organization-defined rules governing the timing of revocations of access authorizations.
CCI-002179	The information system enforces the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations.